b"Board of Governors of the Federal Reserve System\n\n\n\n\n           Audit of the Board\xe2\x80\x99s\n    Information Security Program\n\n\n\n\n       Office of Inspector General\n\n\n\n                                          November 2010\n\x0c\x0c                                       November 15, 2010\n\n\nBoard of Governors of the Federal Reserve System\nWashington, DC 20551\n\nDear Members of the Board:\n\n      The Office of Inspector General (OIG) is pleased to present its report on the Audit of the\nBoard\xe2\x80\x99s Information Security Program. We performed this audit pursuant to requirements in the\nFederal Information Security Management Act of 2002 (FISMA), Title III, Public Law 107-347\n(December 17, 2002), which requires each agency Inspector General (IG) to conduct an annual\nindependent evaluation of the agency\xe2\x80\x99s information security program and practices. Our specific\naudit objectives, based on the legislation\xe2\x80\x99s requirements, were to evaluate the effectiveness of\nsecurity controls and techniques for selected information systems and compliance by the Board\nof Governors of the Federal Reserve System (Board) with FISMA and related information\nsecurity policies, procedures, standards, and guidelines. We also followed up on the status of the\nBoard\xe2\x80\x99s corrective actions in response to open recommendations from our prior FISMA reports\nand security control reviews of specific systems. We conducted our audit of the Board\xe2\x80\x99s\ncompliance with FISMA from March 2010 through October 2010, and we reviewed security\ncontrols for Board applications throughout the year, in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. 
We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objectives.\n\n      As part of an agency\xe2\x80\x99s annual FISMA reporting, the Office of Management and Budget\n(OMB) requests that both the Chief Information Officer (CIO) and the IG perform analysis of\ncertain information security program components. In April 2010, OMB issued revised reporting\nrequirements for IGs\xe2\x80\x99 analysis of their respective agency\xe2\x80\x99s information security management\nperformance, in line with the requirements of FISMA. In accordance with OMB\xe2\x80\x99s revised\nrequirements, our FISMA review included an analysis of the Board\xe2\x80\x99s information security-\nrelated processes in the following areas: certification and accreditation, continuous monitoring,\nplans of action and milestones (POA&Ms), account and identity management, remote access,\nsecurity configuration management, security training, contractor oversight, contingency\nplanning, and incident response and reporting. Appendix 1 contains our analysis of the Board\xe2\x80\x99s\nprogress in implementing key FISMA requirements and discusses our recommendations and\nobservations in more detail. In addition to this report, we will provide our analysis to OMB\nunder separate cover via automated submission (our response will be submitted with the CIO\xe2\x80\x99s\nresponse to the OMB reporting requirements).\n\x0cMembers of the Board                            2                               November 15, 2010\n\n\n       Overall, we found that the Board\xe2\x80\x99s CIO continues to maintain a FISMA-compliant\napproach to the Board\xe2\x80\x99s information security program that is generally consistent with\nrequirements established by the National Institute of Standards and Technology (NIST) and\nOMB. 
The Information Security Officer (ISO) continues to issue and update information\nsecurity policies and guidelines, and is piloting a Board-wide information technology (IT) risk\nassessment framework to capture technology, operational, and strategic risks for IT resources.\nAs NIST and OMB continue to develop new guidance and update existing standards and\npublications to transform the traditional Certification and Accreditation (C&A) process into a\nnew Risk Management Framework, opportunities exist for the CIO to continue to mature the\nBoard\xe2\x80\x99s information security processes through further assessment of risks and controls under an\norganization-wide risk management strategy, with a focus on more continuous monitoring and\nautomated methods. Continuous monitoring of security controls is a cost-effective and important\npart of an organization-wide risk management strategy, which enables an agency to maintain an\naccurate understanding of its security risks by selecting subsets of security controls for\nmonitoring on an ongoing basis.\n\n       The Board\xe2\x80\x99s C&A process meets the current standards as prescribed by NIST and OMB,\nbut primarily relies on manual testing and evaluation of the information systems\xe2\x80\x99 security\ncontrols. During the past year, NIST and OMB have begun to issue updated guidance\nhighlighting a new Risk Management Framework that focuses on agencies being able to\ncontinuously monitor security-related information across the agency in a manageable and\nactionable way. Continuous monitoring of security controls is required as part of the security\nauthorization process to ensure controls remain effective over time (after the initial security\nauthorization or reauthorization of an information system) in the face of changing threats,\nmissions, operational environments, and technologies. 
As additional NIST and OMB guidance\nis issued and becomes effective, agencies will need to automate security-related activities, to the\nextent possible, and acquire tools that correlate and analyze security-related information. Our\nsecurity control reviews show that the CIO continues to implement vulnerability scanning and\nnetwork monitoring tools to expand the Board\xe2\x80\x99s capabilities to identify and defend against cyber\nattacks. The ISO is utilizing these tools and processes to meet NIST and OMB requirements for\ncontinuous monitoring. As additional NIST guidance is issued and becomes effective, a\ndocumented continuous monitoring strategy is needed to analyze how these automated processes,\nwhich are used in day-to-day operations, supplement the ISO\xe2\x80\x99s annual control testing. We\nbelieve an organization-wide risk management strategy, coupled with a continuous monitoring\nstrategy, will provide a more meaningful and mature approach to FISMA compliance and will\nfurther strengthen the Board\xe2\x80\x99s information security posture.\n\n       Our report contains three recommendations. 
To transform the Board\xe2\x80\x99s C&A process into\nthe NIST Risk Management Framework and implement new NIST requirements for assessing\nsecurity controls, our report includes the following two recommendations to the CIO: (1)\ncontinue to develop and implement a Board-wide IT risk management strategy as required by the\nNIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal\nInformation Systems and Organizations (SP 800-53, Revision 3), Program Management family\nof controls; and (2) as additional NIST and OMB guidance is issued and becomes effective,\ndevelop a continuous monitoring strategy and implement a continuous monitoring program as\nrequired by SP 800-53, Revision 3, Security Assessment and Authorization family of controls.\n\x0cMembers of the Board                             3                               November 15, 2010\n\n\nOur report also includes a third recommendation, for the CIO to identify all information\ntechnology services provided by organizations other than Board personnel, and determine if they\nneed to be accredited as a third party contractor system or as part of an existing General Support\nSystem (GSS) or major application.\n\n       In addition, our report includes matters for management\xe2\x80\x99s consideration based on our\nanalysis of the Board\xe2\x80\x99s security-related processes. 
Although not specifically required by NIST\nor OMB requirements, the following actions could help to strengthen the Board\xe2\x80\x99s information\nsecurity posture: (1) under the Board\xe2\x80\x99s certification and accreditation program, provide system\nowners additional information on security assessments of the GSS components, include\nadditional relevant information in system security plans, and implement risk-based sampling as\npart of the security control assessment testing; and (2) under the Board\xe2\x80\x99s configuration\nmanagement program, separately accredit the externally facing components of the IT GSS and\nmajor applications, and clarify guidance to assist system owners in managing application level\nsecurity settings. Appendix 1 contains our analysis of the Board\xe2\x80\x99s progress in implementing key\nFISMA requirements and discusses our recommendations and observations in more detail.\n\n       During this year\xe2\x80\x99s FISMA review, we also followed up on the status of corrective actions\nin response to five open recommendations from our prior FISMA reports and nine open\nrecommendations from two security control reviews. As discussed in appendix 1, we determined\nthat the Board\xe2\x80\x99s corrective actions are sufficient to close two of the four recommendations made\nin our 2009 FISMA report. The other two recommendations relate to improving the POA&M\nand information security training programs. While the ISO has made progress in these areas,\ncorrective action is still underway. In addition, our 2008 FISMA report included a\nrecommendation to ensure that risk assessments adequately identify, evaluate, and document the\nrisks to an information system based on potential threats, vulnerabilities, and controls. 
As\ndiscussed earlier, the ISO continues to issue and update information security policies and\nguidelines, and is piloting a Board-wide IT risk assessment framework to capture technology,\noperational, and strategic risks for IT resources. We will keep this recommendation open as we\ncontinue to monitor the CIO\xe2\x80\x99s and the ISO\xe2\x80\x99s actions in overseeing the planned enhancements to\nthe risk assessment process. In following up on the Board\xe2\x80\x99s actions in response to two of our\nprior security control reviews, we determined that sufficient actions have been taken to close all\nnine open recommendations. We will continue to follow up on actions taken regarding our\nFISMA and security control review report recommendations as part of future audit and\nevaluation work related to information security.\n\n       As stated previously, we also review security controls implemented for Board applications\non an ongoing basis. During the past year, we reviewed security controls for two Board systems:\n(1) the Board\xe2\x80\x99s public web site system (PubWeb) and (2) the Visitor Registration System. We\nalso reviewed the Federal Reserve System\xe2\x80\x99s National Remote Access Services, and we began a\nreview of third-party applications operated by the Federal Reserve Bank of Richmond in support\nof the Board\xe2\x80\x99s Division of Banking Supervision and Regulation. Our reviews of these systems\xe2\x80\x99\ninformation security controls identified areas where controls need to be strengthened but, given\nthe sensitivity of the issues involved with these reviews, we will be providing the specific results\nto management in separate restricted reports that will be summarized on our publicly available\nwebsite. We performed our application control testing based on selected controls identified in\n\x0cMembers of the Board                            4                              November 15, 2010\n\n\nNIST Special Publication 800-53, Revision 3. 
The controls are divided into \xe2\x80\x9cfamilies\xe2\x80\x9d (such as\naccess, risk assessment, and personnel security) and include controls that can be categorized as\nsystem-specific or common (applicable across agency systems). Consequently, although our\nfocus was on evaluating specific applications, we also assessed some of the common security\ncontrols that affect most, if not all, of the applications.\n\n      We provided a draft of our report to the Director of IT, in her capacity as the CIO for\nFISMA, for review and comment. Her response is included as appendix 2. In her response, the\ndirector generally agreed with our three recommendations and stated that she intends to take\nimmediate action to address each of the recommendations. This includes updating the Board\xe2\x80\x99s\nprogram documentation to more accurately reflect the risk management and continuous\nmonitoring programs. In addition, she will be reviewing the system inventory with each division\nand office to validate that all contractor services are correctly reflected in the inventory. The\ndirector also plans to leverage the results from the continuous monitoring program to offset\ncompliance testing requirements during 2011.\n\n      We appreciate the cooperation that we received from the Board during our review. The\nprincipal contributors to this report are listed in appendix 3. We are providing copies of this\naudit report to Board management officials. The report will be added to our publicly-available\nweb site and will be summarized in our next semiannual report to Congress. Please contact me if\nyou would like to discuss the audit report or any related issues.\n\n                                           Sincerely,\n\n\n\n                                     Elizabeth A. Coleman\n                                       Inspector General\n\ncc:   Ms. Maureen Hannan\n      Mr. Geary Cunningham\n      Mr. 
Raymond Romero\n\x0cAPPENDIXES\n\x0c\x0c                                                                                  APPENDIX 1\n\n\nThe Office of Inspector General\xe2\x80\x99s Analysis of the Board\xe2\x80\x99s Progress in\nImplementing Key FISMA and OMB Requirements\nThe following is our analysis of the Board\xe2\x80\x99s progress in implementing key FISMA requirements,\nincluding progress to date and work to be done. Our analysis identified three recommendations\n(see pages 9, 16, and 24, respectively).\n\nPolicies and Procedures\n\nRequirement:\n\n       FISMA requires organizations to develop and implement an organization-wide\n       information security program for the information and information systems that support\n       the operations and assets of the organization, including those provided or managed by\n       another organization, contractor, or other source. For non-national security programs and\n       information systems, agencies must follow NIST standards and guidelines. 
For legacy\n       information systems, agencies are expected to be in compliance with NIST standards and\n       guidelines within one year of the publication date unless otherwise directed by OMB.\n       For information systems under development or for legacy systems undergoing significant\n       changes, agencies are expected to be in compliance with the NIST publications\n       immediately upon deployment of each information system.\n\n       Although detailed guidance is still being developed, NIST has issued the following\n       Special Publications (SP) that reference a new Risk Management Framework with a\n       focus on continuous monitoring:\n\n          \xe2\x80\xa2    In August 2009, NIST issued an updated version of SP 800-53, Revision 3; and in\n               June 2010, issued SP 800-53A, Revision 1, Guide for Assessing the Security\n               Controls for Federal Information and Information Systems; and\n          \xe2\x80\xa2    In February 2010, NIST issued Special Publication 800-37, Revision 1, Guide for\n               Applying the Risk Management Framework to Federal Information Systems.\n\n       In addition, within the next year, NIST is scheduled to release SP 800-30, Revision 1,\n       Guide to Conducting Risk Assessments; and SP 800-137, Guide for Continuous\n       Monitoring of Information Systems and Organizations.\n\n       In particular, NIST SP 800-37, Revision 1, updates an earlier guide for assessing security\n       controls and transforms the traditional C&A process into a six-step Risk Management\n       Framework. NIST\xe2\x80\x99s Risk Management Framework promotes the concept of near real-\n       time risk management and ongoing information system authorization through the\n       implementation of robust continuous monitoring processes; and provides emphasis on the\n       selection, implementation, and assessment of security controls, information systems\n       authorization, and security control monitoring. 
Figure 1 shows NIST\xe2\x80\x99s Risk\n       Management Framework and identifies NIST\xe2\x80\x99s related guidance.\n\n\n\n                                               7\n\x0c                                                                                APPENDIX 1\n\n\n      Figure 1. NIST\xe2\x80\x99s Risk Management Framework\n\n\n\n\n      According to NIST\xe2\x80\x99s development schedule for FISMA publications, Special Publication\n      800-39, Managing Risk from Information Systems: An Organizational Perspective, is\n      scheduled to be finalized in February 2011, and will provide guidelines for managing\n      overall risk to organizational operations, organizational assets, individuals, and other\n      organizations, resulting from the operation and use of information systems.\n\nProgress to Date:\n\n      The ISO and his staff continue to issue new and updated information security guidance\n      and procedures based on updated NIST guidance, and the ISO is piloting a Board-wide\n      IT risk assessment framework to capture technology, operational, and strategic risks for\n      IT resources. During this past year, the ISO updated the Board\xe2\x80\x99s information security\n      program to reflect changes to individual security controls in NIST SP 800-53, Revision 3.\n      SP 800-53, Revision 3, issued in August 2009, provides updated guidelines for selecting\n      and specifying security controls for information systems to meet the requirements of\n      Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements\n      for Federal Information and Information Systems. 
To assist system owners with their\n      annual system reviews, the ISO provided training to help system owners identify controls\n      that were new for 2010, and developed FISMA process review checklists that identify the\n      key courses of action necessary to complete the applicable review.\n\nWork To Be Done:\n\n      NIST and OMB have identified requirements for organizational-wide risk management\n      and continuous monitoring, and are finalizing additional detailed guidance. 2011 will be\n      a transition year for the Board\xe2\x80\x99s information security policies and procedures as NIST\n\n                                              8\n\x0c                                                                                   APPENDIX 1\n\n     and OMB issue and develop additional guidance and update existing standards and\n     publications for agencies to implement the new Risk Management Framework. As the\n     CIO starts planning to transition to the new framework, opportunities exist to continue to\n     mature the Board\xe2\x80\x99s information security processes through further assessment of risks\n     and controls under an organization-wide risk management strategy, and a focus on more\n     continuous monitoring and automated methods. One of the changes in SP 800-53,\n     Revision 3, is the addition of the information security Program Management (PM) family\n     of controls. The PM controls focus on the organization-wide information security\n     requirements that are independent of any particular information system and are essential\n     for managing information security programs. 
The Board\xe2\x80\x99s information security program\n     already addresses many of the controls in the PM family, but prior to fully implementing\n     the Risk Management Framework, the CIO will need to develop and formalize an\n     organization-wide risk management strategy as required by SP 800-53, Revision 3.\n\n     SP 800-37, Revision 1, states that an organization-wide risk management strategy should\n     include: (i) the techniques and methodologies the organization plans to employ to assess\n     information system related security risks and other types of risk of concern to the\n     organization; (ii) the methods and procedures the organization plans to use to evaluate the\n     significance of the risks identified during the risk assessment; (iii) the types and extent of\n     risk mitigation measures the organization plans to employ to address identified risks; (iv)\n     the level of risk the organization plans to accept (risk tolerance); (v) how the organization\n     plans to monitor risk on an ongoing basis given the inevitable changes to an\n     organization\xe2\x80\x99s information systems and their operational environments; and (vi) the\n     degree and type of oversight the organization plans to use to ensure that the risk\n     management strategy is being effectively carried out. In addition, the process should\n     compile and track identified and residual risks noted from annual security assessments\n     and certification testing. Continuous monitoring of security controls is a key component\n     in the Risk Management Framework that would be implemented based on the\n     organization-wide risk management strategy. 
SP 800-39, when finalized, will provide\n     guidelines for managing overall risk to organizational operations, organizational assets,\n     individuals, and other organizations, resulting from the use of information systems.\n\n     Recommendation 1: We recommend that the CIO continue to develop and implement a\n                       Board-wide IT risk management strategy as required by the NIST\n                       SP 800-53, Revision 3, Program Management family of controls.\n\nCertification and Accreditation Program\n     Certification involves the evaluation of an information system\xe2\x80\x99s management,\n     operational, and technical security controls. Accreditation involves a senior agency\n     official\xe2\x80\x99s authorization of an information system to operate. OMB requires agencies to\n     certify and accredit their information systems in accordance with federal security\n     policies, standards, and guidelines. The Board\xe2\x80\x99s information security program requires\n     that all information systems must be certified and accredited prior to being placed into\n     production. Certified information systems must be re-accredited every three years or if a\n\n\n                                               9\n\x0c                                                                                   APPENDIX 1\n\n      system undergoes a major modification. Identified weaknesses in information systems\n      must be tracked in the respective division\xe2\x80\x99s POA&M.\n\n      Overall, the Board has established and is maintaining a C&A program that is generally\n      consistent with NIST and OMB FISMA requirements. 
The Board\xe2\x80\x99s information security\n      program currently documents policies and procedures describing the roles and\n      responsibilities of participants in the C&A process; establishes accreditation boundaries;\n      categorizes information systems; applies a minimum baseline of security controls;\n      assesses risks; assesses the security controls; and provides the accreditation official with\n      the security assessment, POA&M, and security plan. However, as the Board transitions\n      to NIST\xe2\x80\x99s new Risk Management Framework, we believe that the Board can more fully\n      utilize operational efficiencies through continuous monitoring that could be incorporated\n      into the FISMA process. Going forward, the Board can improve and integrate both\n      manual and automated monitoring processes into its continuous monitoring processes to\n      mature existing information security processes. Through our security control reviews we\n      have identified many monitoring components already in place, but the monitoring\n      processes need to be incorporated into an organization-wide risk management strategy\n      identified in Recommendation 1 of this report.\n\nPeriodic Risk Assessments\n\nRequirement:\n\n      FISMA requires periodic assessments of the risk and the magnitude of the harm that\n      could result from the unauthorized access, use, disclosure, disruption, modification, or\n      destruction of information and information systems that support the operations and assets\n      of the agency.\n\nProgress to Date:\n\n      The ISO is developing a risk assessment process that will fit into the new NIST Risk\n      Management Framework. 
The NIST Risk Management Framework builds upon NIST\n      guidance in SP 800-30, which requires system owners to select a minimum baseline of\n      security controls and then conduct a risk assessment to supplement the security control\n      baseline as needed to ensure adequate security. As part of the Board\xe2\x80\x99s information\n      security program, the ISO has developed a Risk Assessment Template and a Risk\n      Assessment Guide to provide a systematic approach that permits information system\n      owners to determine the extent of potential threats and risks associated with their\n      information systems. The information system owner must complete a risk assessment for\n      each system, regardless of whether each is categorized as a GSS, a major application, a\n      standalone minor application, or a subsystem to any of these categories. In 2009, the ISO\n      developed a Supplemental Controls Questionnaire to assist system owners in determining\n      which SP 800-53 controls that are listed as optional or intended for systems that are\n      classified as high risk may be used to mitigate a unique system risk or satisfy a unique\n      system requirement. This year we reviewed a sample of security plans, and we found\n\n\n\n                                               10\n\x0c                                                                                 APPENDIX 1\n\n     that each of the system owners had documented a baseline of controls. 
Any non-\n     compliance with the baseline controls was documented in a risk assessment template.\n\nWork To Be Done:\n\n     Our 2008 FISMA audit report contained a recommendation that the CIO ensure that risk\n     assessments are adequately identifying, evaluating, and documenting the level of risk to\n     information systems based on potential threats, vulnerabilities, and currently\n     implemented or planned controls, to determine whether additional controls are needed.\n     The current process is focused on documenting risks associated with a system being in\n     compliance with a baseline of controls. In response to our recommendation, the ISO\n     continues to issue and update information security policies and guidelines, and is piloting\n     a Board-wide IT risk assessment framework to capture technology, operational, and\n     strategic risks for IT resources. This process is intended to ascertain what type and level\n     of risks exist, how well the organization is managing these risks, and what residual risks\n     remain.\n\n     In addition, our prior security control reviews identified that individual system risk\n     assessments may not take into consideration the risks accepted by the CIO as the system\n     owner of the infrastructure. To address this issue, the ISO has developed procedures to\n     grant system owners access to IT GSS risk assessments and to (1) require a statement that\n     they have reviewed the IT GSS risk assessment and (2) document any system-specific\n     concerns related to IT GSS risks. The ISO can enhance risk assessments by providing\n     system owners with additional information on risks accepted by the CIO, such as the\n     results of security assessments of the IT GSS. These assessments identify the controls\n     reviewed and tested, and include exposures, concerns, informational findings, and\n     observations that may not be included in the individual system risk assessment. 
In\n     addition, the assessment reports provide a status of previously identified vulnerabilities.\n     These security control assessment reports could provide additional key information for\n     system owners who rely on infrastructure controls. The ISO is continuing to implement\n     an automated risk assessment tool to provide a structured approach that he believes will\n     provide system owners additional information and will lead to a more thorough risk\n     assessment. The tool is currently being piloted and, once implemented, will provide a\n     structured approach to compliance testing, remediation tracking, and automatic\n     notification.\n\n     At this time, we are keeping the 2008 recommendation open as we continue to monitor\n     the CIO\xe2\x80\x99s and ISO\xe2\x80\x99s actions in overseeing the planned enhancements to the risk\n     assessment process.\n\n     Matter for Management\xe2\x80\x99s Consideration: Provide system owners additional\n     information on security assessments of the GSS components to contribute to a more\n     thorough risk assessment.\n\n\n\n\n                                             11\n\x0c                                                                                  APPENDIX 1\n\n\nSecurity Plans\n\nRequirement:\n\n      FISMA requires that agencies develop security plans for each system in their inventories.\n      A system security plan should be based on the agency-wide plan, provide an overview of\n      the system\xe2\x80\x99s specific security requirements, and describe the controls in place or planned\n      for meeting those requirements. 
A system security plan should delineate the\n      responsibilities, expected behavior, and training requirements for all individuals who\n      access the system and describe appropriate controls for interconnection with other\n      systems.\n\nProgress to Date:\n\n      The Board\xe2\x80\x99s information security program requires the system owner to develop a\n      security plan based on the complete set of controls required for the system (the baseline\n      controls and any additional controls identified during the risk assessment process). To\n      assist system owners, the ISO has developed security plan templates for major\n      applications, general support systems, and standalone minor applications. An official\n      System Security Plan Approval form is included in the security plan and, by signing it,\n      the system owner is stating that the owner has reviewed the security plan and that the\n      owner believes the security plan accurately and completely describes the security of the\n      system. Approval of a security plan signifies approval of all documents referenced by the\n      security plan and the baseline of security controls. A bundled subsystem security plan\n      requires system owners to attest that all security controls provided by the baseline of\n      controls have been reviewed to determine that the subsystem relies upon the provided\n      GSS or major application security controls, and that the controls satisfy all subsystem\n      control requirements with the exception of any other specific controls documented.\n\n      In our 2009 FISMA report, we found security plans that had not been updated and that\n      referenced obsolete software versions and outdated security settings. As a result, we\n      recommended that the CIO ensure all systems have updated security plans that include all\n      requirements, as part of implementing the new risk assessment process. 
This past year the ISO implemented C&A planning checklists. The checklists outline the review process for system owners preparing for either a recertification or an annual assessment, and include a checklist for new major and minor applications, existing major and minor applications, and IT GSS subsystems. The checklists require the system owner to indicate that he/she has reviewed and updated the System Security Plan and submitted it to the certifying agent. Our control reviews this year did not identify obsolete software or outdated security settings. We also reviewed a sample of security plans and found each of the system owners had developed security plans, and the subsystems that had been bundled into a GSS had a bundled subsystem security plan completed. As a result, we are closing our recommendation.

Work To Be Done:

All Board information systems must be supported by a system security plan categorized as a major application, a minor application, or a general support system. The information system owner is responsible for the development and maintenance of a system security plan. Security plans must be reviewed annually. The Board's information security program requires that security plans include system environment descriptions and diagrams of the system environment. As the Board continues to mature its risk assessment processes, improvement opportunities exist to provide additional relevant details within the security plans, such as additional detailed information regarding system descriptions and diagrams, as well as technical details on servers that could affect a specific application.
This enhancement would allow system owners to more fully understand the risks and mitigating factors, and assist in selecting a sample of controls for periodic testing and evaluation.

Matter for Management's Consideration: Include additional relevant details within system security plans, such as detailed information regarding system descriptions and diagrams, as well as technical details on servers that could affect a specific application.

Periodic Testing and Evaluation

Requirement:

FISMA requires periodic testing and evaluation of the effectiveness of an agency's information security policies, procedures, and practices. Testing of the management, operational, and technical controls for each system identified in the agency's inventory should be performed on a risk-based frequency, but not less than annually. As stated earlier, each system must also undergo a periodic C&A to ensure that security controls are commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information contained in the system. The Board's information security program requires the C&A of a system to include a security assessment. The security assessment is to be performed by an independent certification agent and provide assurance that controls are implemented correctly, working as intended, and producing the desired results. A C&A should be completed before a system is initially placed into operation and every three years thereafter, or if the system undergoes a significant change.

Progress to Date:

The ISO continues to conduct security assessments on a three-year cycle, with all systems undergoing annual testing.
Starting in 2009, testing has moved away from an every-three-year C&A towards a more continuous monitoring approach. Each year, one-third of the total controls for major applications will be tested, although certain critical controls will still be tested every year. For the GSS, one-third of the individual components will be tested every year.

SP 800-53 recommends that those security controls that are volatile or critical to protecting the information system be assessed at least annually. In our 2009 FISMA report, we identified that the Board's process of testing one-third of the IT GSS components each year limits the controls tested each year, and some controls are so important to the Board's information security that they may need to be reviewed annually. We recommended that the CIO test select critical controls within the IT GSS annually. The ISO now includes a subset of controls related to access and identification, configuration management, and contingency for major IT GSS platforms on a quarterly basis. As a result, we are closing our 2009 recommendation on testing select critical controls of the IT GSS annually.

Work To Be Done:

NIST and OMB have placed a focus on agencies developing abilities to continuously monitor security controls. However, continuous monitoring does not replace security certifications, and not all controls are well suited to continuous monitoring or automation, so other testing methods are required. OMB states that agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year authorization cycle.
The ISO process for assessments of major applications currently includes annually reviewing one-third of the system-level management, operational, and technical controls as documented in the system security plans and control baselines, although certain critical controls will still be tested every year. Evaluations of the common controls provided by the GSS on which the systems rely are conducted separately.

As previously stated, NIST has recently revised its guidance to support organizations in assessing the effectiveness of the security controls that are implemented in federal information systems. The selection and assessment of appropriate security controls are important steps in the comprehensive process of managing risks and maintaining effective security of those information systems. SP 800-53, Revision 3, identifies related security controls across families, and the ISO has tried to assure concurrent testing for those related controls that are synergistically related in their operation. Concurrent testing of related controls, in addition to the testing schema of testing one-third of the controls each year, can work to close any gaps in assessing risk between related controls. A risk-based approach to testing IT GSS components would enhance control testing of the IT GSS components. Currently the ISO tests a random sample of components, but we found during one of our security control reviews that the IT GSS components supporting a critical application were not selected through the random sampling approach.

The ISO has stated that in 2011, security assessments will be moving to more control-focused testing, where they will focus on testing controls across all platforms on a frequency that will vary based on control nature and importance.
For instance, some controls may be looked at monthly, some quarterly, some yearly, some every 3 years, etc. How the ISO plans to evaluate the effectiveness of the controls and select the subsets of security controls to be continuously monitored should be part of (1) the Board-wide IT risk management strategy identified in Recommendation 1 of this report and (2) a continuous monitoring strategy.

Matter for Management's Consideration: Implement risk-based sampling as part of the security control assessment testing.

Continuous Monitoring Program

Requirement:

One of the recent changes in SP 800-53, Revision 3, requires agencies to establish a continuous monitoring strategy and implement a continuous monitoring program. Although NIST and OMB have placed a focus on continuous monitoring, FISMA has always required that an agency's information security program include an entity-wide continuous monitoring program to assess the security state of information systems consistent with NIST and OMB FISMA-related requirements. Organizations are required to develop a continuous monitoring program for their information systems and the environments in which those systems operate.
Continuous monitoring of security controls is required as part of the security authorization process to ensure controls remain effective over time (after the initial security authorization or reauthorization of an information system) in the face of changing threats, missions, environments of operation, and technologies.

Progress to Date:

OMB states that agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. CIOs, ISOs, and other agency managers all need to have different levels of this information presented to them in ways that enable timely decision-making. To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools. Previously, the Board's ISO tested a subset of controls through annual security reviews primarily using manual techniques, and has since expanded this approach by having one-third of the total controls of major applications tested each year. In addition, the ISO has started to develop quarterly information security metrics for senior management. The metrics track both (1) security-related metrics, such as incidents reported, and (2) compliance metrics, such as security assessments completed and POA&M statistics.

In addition, the CIO continues to implement vulnerability scanning and network monitoring tools, including intrusion detection and audit log consolidation processes, to identify and defend against cyber attacks.
The ISO is utilizing these tools and processes to meet NIST and OMB requirements for continuous monitoring.

Work To Be Done:

OMB guidance places a focus on continuous monitoring, and as stated above, SP 800-53, Revision 3, requires agencies to establish a continuous monitoring strategy and implement a continuous monitoring program, in the Security Assessment and Authorization (CA) family of controls. Although continuous monitoring of controls has always been required, NIST continues to develop guidance for continuous monitoring. For example, SP 800-137, which will provide a guide for agencies to develop a continuous monitoring program, is scheduled to be issued in 2011.

Continuous monitoring of security controls using automated tools facilitates near real-time risk management. Our security control reviews have identified that the CIO continues to acquire tools that correlate and analyze security-related information. We will continue to review the Board's capabilities as part of our ongoing FISMA-related audits. As additional NIST guidance is issued and becomes effective, a documented continuous monitoring strategy is needed to analyze how the ISO's automated monitoring tools and processes, which are used in day-to-day operations, supplement the ISO's annual control testing. Documenting how the ISO plans to monitor risk through these tools on an ongoing basis should be part of the continuous monitoring strategy and complement the Board-wide IT risk management strategy identified in Recommendation 1 of this report.

Continuous monitoring, in and of itself, does not replace security control assessments.
A robust and effective continuous monitoring program will ensure important procedures included in an agency's security authorization package (as described in system security plans, security assessment reports, and POA&Ms) are updated as appropriate and contain the necessary information for authorizing officials to make credible risk-based decisions regarding the security state of the information system on an ongoing basis.

Recommendation 2: We recommend that, as additional NIST and OMB guidance is issued and becomes effective, the CIO develop a continuous monitoring strategy and implement a continuous monitoring program as required by NIST 800-53, Revision 3, Security Assessment and Authorization family of controls.

Plan of Action & Milestones Program

Requirement:

FISMA requires agencies to establish a process for addressing any deficiencies in information security policies, procedures, and practices. To implement this requirement, OMB has issued guidance requiring agencies to prepare and submit POA&Ms for all programs and systems where an information technology security weakness has been found. The guidance states that an agency's POA&M program should track and monitor known information security weaknesses, include documented policies and procedures, and establish and adhere to reasonable remediation dates.
The guidance also calls for the CIO to centrally track and independently review and validate the POA&M activities at least quarterly.

Progress to Date:

The POA&M is a tool to communicate to management the proposed and actual implementation of risk management plans. As reported in our 2009 FISMA report, an agency-wide POA&M process has been in place for many years at the Board. The ISO continues to collect POA&Ms on a quarterly basis from Board divisions and offices that reflect identified information technology security weaknesses or exposures. Also, as outlined in our 2009 FISMA report, the ISO issued POA&M guidance for the Board which states, "The Board ISO reviews the Division POA&M for completeness and to determine if any issues identified at the Division level warrant escalation to the agency level POA&M. In addition, the ISO tests closed issues to certify they have been properly mitigated."

Work To Be Done:

Our 2009 FISMA report recommended that the CIO independently verify that appropriate corrective action has been implemented before items are removed from the Board's POA&M. Even though Board divisions and offices have been reporting information technology security weaknesses, we included a recommendation for improvement actions in our 2009 FISMA report because our security control reviews continue to identify instances where POA&M items that were designated as completed and removed from POA&Ms were only partially or not effectively remediated. This translates into extended security exposures for Board systems.

In response to our recommendation, the ISO has established new POA&M procedures.
A member of the ISO's staff validates the remediation of action items during a system controls review or otherwise requests documentation to determine if the control related to the POA&M corrective action has been sufficiently completed. Items with insufficient evidence or those that have been delayed will be evaluated as to why the action(s) have not been completed and revised accordingly with an updated completion date. However, at the time of our review, the new process had been implemented for only one division (this division has the largest number of POA&M items). The ISO plans to implement the independent verification of completed POA&M items for all Board divisions during the 2011 program year. We will keep our recommendation open and continue to monitor the ISO's corrective actions on POA&Ms.

Account and Identity Management Program

Requirement:

FISMA requires that the agency has established and is maintaining an account and identity management program that is generally consistent with NIST and OMB FISMA requirements. Identification and authentication includes security controls designed to verify the identity of individual users, processes, or devices as a prerequisite to allowing access to information systems and data. Identification and authentication can be accomplished using various means, such as passwords, card tokens, biometrics, or some combination thereof.

Progress to Date:

We found that the ISO has established and is maintaining an account and identity management program that is generally consistent with NIST's and OMB's FISMA requirements.
The Board's information security program includes documented policies and procedures to ensure that users are granted access based on need and separation of duties principles. Procedures also ensure accounts are properly issued to new users and are properly terminated when users no longer require access. The Board's account and identity management program, which is linked to the Board's personnel system, ensures that accounts are terminated or deactivated once access is no longer required.

We also found that administrator privileges were appropriately limited. Privileges granted do not result in the capability to perform conflicting functions. The Board utilizes dual accounts for administrators and does not allow shared administrator accounts, to ensure the proper tracking of administrator actions.

Work To Be Done:

The ISO has established documented policies and procedures for account and identity management; however, we noted that localized change-control processes rely primarily on IT Division-wide policies and procedures which do not accurately reflect the tasks performed at the local level. Local change-control processes and procedures utilized for Active Directory updates were not documented in the IT Division's policies and procedures, and documentation of the local procedures does not reflect the actual work processes. The ISO should consider clarifying the existing account management procedures to accurately reflect all processes currently implemented.

OMB reporting requirements also inquire whether agencies can identify network devices and utilize multi-factor authentication. We found that the Board utilizes multi-factor authentication for remote access devices and identification of remote users.
However, the Board does not currently identify or authenticate devices that are attached to the network or have the capability to distinguish these devices from users. Devices that join the network cannot currently be identified or authenticated, although users' access is controlled. We determined that compensating controls are in place, and several initiatives are currently underway, at the local and the Federal Reserve System (System) level, to identify devices.

Remote Access Program

Requirement:

NIST requires agencies to establish and maintain a remote access program that (1) includes documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access; (2) protects against unauthorized connections or subversion of authorized connections; and (3) uniquely identifies and authenticates users for all access.

Progress to Date:

As part of our 2010 FISMA work in analyzing the Board's remote access program, we reviewed the System's National Remote Access Services (NRAS) infrastructure. NRAS delivers enterprise-level mobile and remote-access services to the Board and Reserve Banks. Our review found that while NRAS is not covered under the Board's information security program, there are documented policies and procedures for authorizing, monitoring, and controlling methods of remote access.
NRAS protects against unauthorized connections, encrypts files on transmission, and uniquely identifies users.

Work To Be Done:

Our review of the security controls for NRAS identified various improvement opportunities that we will report under a separate, restricted report to the Board's CIO. While we did not identify any significant improvement opportunities, we did note that NRAS is not fully in compliance with FISMA and the Board's information security program. NRAS is considered a contracted service: it is not an application that stores or processes Board data, and it is not listed on the Board's FISMA inventory. As described in our 2009 FISMA report, the Reserve Banks have established plans to implement an enterprise information security program based on the NIST framework. The Reserve Banks plan to transition over multiple years. As the Reserve Banks implement a FISMA-compliant program, NRAS will be brought into compliance. We will continue to monitor the CIO's and ISO's actions in overseeing the Reserve Banks' compliance with FISMA as they transition to an information security program based on the NIST framework.

Security Configuration Management Program

Requirement:

FISMA requires that the agency has established and is maintaining a security configuration management program that is generally consistent with NIST and OMB FISMA requirements.
Configuration management comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

A key to ensuring the confidentiality, integrity, and availability of any information system is implementing structured processes for managing the inevitable changes that will occur during the system's life cycle. Such processes, collectively referred to as configuration management, include evaluating, authorizing, testing, tracking, reporting, and verifying both hardware and software changes. Inadequate configuration management controls increase the risk that unauthorized programs or untested changes could inadvertently or deliberately be implemented and negatively affect system performance or security.

Progress to Date:

The Board has established and is maintaining a security configuration management program that is generally consistent with NIST and OMB FISMA requirements. The ISO has documented policies and procedures, and standard baseline configurations for IT GSS components have been developed and continue to be updated in operating environment documents. The operating environment documents provide details on various monitoring tools the ISO has implemented to monitor and deploy changes to configurations, including Federal Desktop Core Configuration settings.
The ISO employs automated tools to apply patches and security-related updates to desktop workstations, and a change control system to document changes to configuration settings. Many of these tools are used by IT support staff in their day-to-day operations. These tools could be further utilized to reduce the reliance on the current manual testing of controls, under the continuous monitoring strategy discussed in Recommendation 2 of this report.

Work To Be Done:

The management of security configurations of infrastructure components is challenging in terms of both complexity and frequency. Continual changes to security settings are essential in response to changing security threats and vulnerabilities. The Board's infrastructure includes internal servers and applications that also face externally (the internet), outside the Board's firewall. These components require specific configuration settings based on external threats and potential vulnerabilities. For some systems that contained both internally and externally facing components, we found the Board utilizes one set of baseline controls, operating environment documents, and procedures for day-to-day operations of the servers and applications. However, having the same documentation may not be sufficient to distinguish between the internally and externally facing environments, and more comprehensive documentation may be necessary for externally facing servers and applications. The CIO may want to consider separately accrediting the externally facing components of the IT GSS and major applications.

In addition, the Board's information security program includes a configuration management policy that requires configuration baselines to be developed for and applied to each type of infrastructure component.
However, our security control review found that the information security program does not provide detailed procedures for establishing and managing application security settings. Although the ISO requires a software security review for all commercial off-the-shelf products, we found a software component for a major application that requires configuration settings but which was not documented as part of the major application's security plan. Clarifying guidance would further assist system owners in managing application-level security settings across Board applications. We will report on this specific issue in our security control review report.

Matters for Management's Consideration: Separately accredit the externally facing components of the IT GSS and major applications, and clarify guidance to assist system owners in managing application-level security settings.

Security Training Program

Requirement:

FISMA requires that an agency's information security program include security awareness training to inform all personnel, including contractors and other users of information systems that support the agency's operations and assets, of the information security risks associated with their activities, as well as their responsibilities for complying with agency policies and procedures. FISMA also requires that the CIO train and oversee personnel with significant responsibilities for information security.
NIST and OMB require that the program include (a) security awareness training for the entire staff, (b) training content based on the organization and roles, and (c) tracking of employees with significant information security responsibilities that require specialized training.

Progress to Date:

The Board continues to improve upon its interactive computer-based security awareness training, which complies with NIST and OMB FISMA requirements. All Board employees, contractors, and interns are required to complete an annual security awareness quiz that includes topics such as incident handling, data breach notification, information classification and handling, permissible use and privacy policy, handling personally identifiable information, and phishing/fraudulent e-mails. The ISO also continues to provide additional computer-based training modules on topics such as mobile storage devices and international travel, and the Board's overall information security program. The ISO has also provided a module for new Board employees.

Board divisions report training for personnel with significant information system security responsibilities to the ISO. In addition, the Information Security Compliance unit continues to offer several versions of in-house FISMA training to Board personnel. The training modules cover both FISMA compliance requirements and Board-specific requirements for system documentation, procedures, and implementation of security controls.
The ISO also plans on meeting with individual system owners to discuss their FISMA responsibilities.

Work To Be Done:

The Board continues to make improvements in the quality, tracking, and monitoring of its security awareness training program. The training program is geared towards creating awareness of FISMA requirements and the Board Information Security Program for various end users, including system owners, developers, managers, quality assurance analysts, and authorizing officials who are responsible for making decisions regarding information systems.

Our 2009 FISMA Report contained a recommendation that the CIO provide mandatory specific FISMA training for selected staff with FISMA responsibilities. As stated above, the Information Security Compliance unit offers several versions of in-house training to Board personnel; however, this FISMA training continues to be optional and not mandatory for personnel with significant information system security responsibilities. In performing our 2010 FISMA fieldwork and our analysis of FISMA training, we continued to identify key individuals responsible for various aspects of ensuring the security of Board systems who had not attended any session of the FISMA training provided by the CIO.
As stated in our 2009 FISMA report, our security control reviews\n      continue to identify deficiencies that we believe could have been avoided if FISMA training\n      on NIST standards and guidelines and Board security policies, procedures, and practices\n      were mandatory.\n\n      Our 2010 security control reviews continue to indicate that FISMA training for Board\n      information system personnel could be beneficial in securing the Board\xe2\x80\x99s information\n      systems by instructing information system personnel on how to implement controls and\n      meet NIST requirements. Going forward, as the ISO transitions to more continuous\n      monitoring of controls, training will be necessary to ensure that personnel responsible for\n      day-to-day operations are fully aware of their FISMA responsibilities. We believe that\n      the training should focus on areas of non-compliance or technical deficiencies that\n      have been identified not only by the OIG control reviews, but also by the ISO\xe2\x80\x99s staff who\n      perform control reviews of the Board\xe2\x80\x99s information systems. We will continue to keep\n      this recommendation open as we monitor the ISO\xe2\x80\x99s actions to improve staff\xe2\x80\x99s knowledge\n      of and training in FISMA.\n\nContractor Oversight Program\nRequirement:\n\n      FISMA requires agencies to provide information security for the information and\n      information systems that support the operations and assets of the agency, including those\n      provided or managed by another agency, contractor, or other source. 
OMB requires that\n      the agency develop policies and maintain a program to oversee systems operated on its\n      behalf by contractors or other entities.\n\nProgress to Date:\n\n      The Board\xe2\x80\x99s third-party applications are primarily located within the Federal Reserve\n      Banks. Although the System maintains its own information security program, systems\n      that process and store Board information are required to be certified and accredited in\n      accordance with the Board\xe2\x80\x99s information security program. The ISO has established and\n      maintains a program to obtain assurance that security controls of selected systems\n      operated by Federal Reserve Banks are effectively implemented and comply with the\n      Board\xe2\x80\x99s information security program. The program, which is updated annually, includes\n      policies and procedures and an inventory of systems that identifies interfaces.\n\n      The ISO coordinates with the Board\xe2\x80\x99s Division of Banking Supervision and Regulation\xe2\x80\x99s\n      Information Security and Continuity Management Section (ISCM), which serves as the\n      focal point for FISMA compliance of the Reserve Banks\xe2\x80\x99 FISMA assets. The ISCM\n      provides annual training on the Board\xe2\x80\x99s information security program to Reserve Bank\n      staff with FISMA-related responsibilities.\n\n      The ISO has overall responsibility to ensure contractor systems comply with the Board\xe2\x80\x99s\n      information security program and conducts security assessments of systems within the\n      Reserve Banks that store or process Board data. The ISCM also conducts its own\n      reviews of the Reserve Banks, separate from the certification assessments conducted\n      by the ISO. 
The reviews focus on continuous monitoring activities and a review of\n      security controls from the security baselines, as well as common controls, such as\n      personnel security, which are outside of the system baseline but require verification to\n      ensure these common controls are supported by other organizations at a Reserve Bank or\n      other support organizations within the Federal Reserve System.\n\nWork To Be Done:\n\n      As discussed earlier, the System has established plans to implement an enterprise\n      information security program based on the NIST framework. The Reserve Banks plan to\n      transition through a multi-year approach and have started to train their staffs on the new\n      NIST compliant security program. As part of our ongoing work related to information\n      security, we will continue to monitor the CIO\xe2\x80\x99s and ISO\xe2\x80\x99s actions in overseeing the\n      Reserve Banks\xe2\x80\x99 compliance with FISMA as they transition to an information security\n      program based on the NIST framework.\n\n      As previously stated, NRAS was identified as a contracted service that is essential to the\n      Board\xe2\x80\x99s operations, but it is not listed on the Board\xe2\x80\x99s FISMA inventory. As part of our\n      security control review of the Board\xe2\x80\x99s PubWeb application, we identified another\n      contractor service that, although essential to the Board\xe2\x80\x99s recruitment process, was not\n      included on the Board\xe2\x80\x99s FISMA inventory. Since this system stores Board data, the ISO\n      should determine that security controls are in place. The ISO has stated the application\n      will be added to the Board\xe2\x80\x99s FISMA inventory, and that he is working with the division\n      to determine the appropriate security requirements. 
We believe that the CIO needs to\n      identify all information technology services provided by entities other than Board\n      personnel, and determine whether each needs to be accredited as a third-party contractor\n      system or as part of any existing GSS or major application.\n\n      Recommendation 3: We recommend that the CIO identify all information technology\n                        services provided by organizations other than Board personnel, and\n                        determine if they need to be accredited as a third-party contractor\n                        system or as part of an existing GSS or major application.\n\nContingency Planning Program\nRequirement:\n\n      FISMA requires that agency information security programs include plans and procedures\n      to ensure continuity of operations for information systems that support the agency\xe2\x80\x99s\n      operations and assets. Our analysis of the Board\xe2\x80\x99s information security program included\n      reviewing how the Board has established and is maintaining an entity-wide business\n      continuity/disaster recovery program that is consistent with NIST's and OMB's FISMA\n      requirements.\n\nProgress to Date:\n\n      The Board has established and is maintaining an agency-wide business continuity/disaster\n      recovery program that is consistent with NIST and OMB requirements. During the past\n      year, the Board continued to conduct semiannual contingency tests. Divisions participate\n      in the tests, and the ISO uses the Board\xe2\x80\x99s FISMA inventory to track the systems\n      participating in the testing. 
The IT Division\xe2\x80\x99s Strategic Plan for 2007-2010 outlined a\n      number of contingency objectives, one of which, bringing mainframe backup\n      capabilities in-house, has been accomplished. The Board also continued to update\n      operations and preparations to address various aspects of contingency/continuity. This\n      includes enhanced tracking of issues identified during the contingency exercises,\n      videoconferencing capabilities, and updates to contingency logistical guidance\n      on contingency teams and accommodations.\n\nWork To Be Done:\n\n      During the Board\xe2\x80\x99s semiannual contingency tests, the IT division provides the\n      infrastructure services for system owners to test applications for their availability. As the\n      ISO develops a Board-wide IT risk management strategy identified in Recommendation 1\n      of this report, the ISO will need to consider the continuity and disaster recovery of critical\n      systems to ensure the strategy is both broad-based and comprehensive.\n\n      We indicated in our 2009 FISMA Report that we will continue to monitor the Board\xe2\x80\x99s\n      contingency processes and procedures as part of our ongoing FISMA work. We\n      participated in the March 2010 contingency test as observers and noted high-level\n      strategic as well as technical/operational matters that require further detailed analysis to\n      address potential gaps that could hamper a smooth and efficient recovery of operations in\n      the event of a contingency. 
During our 2011 FISMA cycle, we are planning to perform\n      an audit of the overall Board contingency framework in order to provide input for\n      improvements or enhancements to the Board\xe2\x80\x99s preparedness for contingency/continuity.\n\nIncident Response & Reporting Program\nRequirement:\n\n      FISMA requires agencies to develop procedures for detecting, reporting, and responding\n      to security incidents. The procedures should include steps to mitigate risks from security\n      incidents before substantial damage is done and to notify and consult with the United\n      States Computer Emergency Readiness Team (US-CERT), appropriate law enforcement\n      agencies, and relevant IGs. US-CERT has established requirements for incident\n      reporting, which include establishing priority levels for categories of incidents and\n      timeframes for reporting each priority level.\n\nProgress to Date:\n\n      To assist Board staff in understanding their responsibilities related to security incidents,\n      the ISO has developed policy and procedures to inform employees of their\n      responsibilities for reporting incidents. When applicable, the CIO reports to\n      US-CERT and law enforcement within established timeframes. In the past, the ISO has\n      responded to and resolved incidents in a timely manner to minimize further damage.\n\n      The ISO has started to develop quarterly information on security incidents for senior\n      management. The quarterly reports also include details on incidents from across the\n      Reserve Banks for any BS&R delegated functions.\n\nWork To Be Done:\n\n      To reinforce employees\xe2\x80\x99 responsibilities, the ISO continues to post articles on this topic\n      on the Board\xe2\x80\x99s website as part of security awareness training. 
We will continue, as part\n      of our ongoing FISMA-related audit work, to monitor how the Board handles information\n      security incidents to ensure that incidents at the Board and the Reserve Banks continue to\n      be reported to US-CERT pursuant to the relevant requirements.\n\n\x0c                                                                                      APPENDIX 2\n\nDivision Director\xe2\x80\x99s Comments\n\n\n\n\n                                        November 15, 2010\n\n\nMs. Elizabeth A Coleman, Inspector General\nOffice of the Inspector General\nBoard of Governors of the Federal Reserve System\nWashington, D.C. 20551\n\nDear Ms. Coleman:\n\n        Thank you for the opportunity to comment on the Office of Inspector General\xe2\x80\x99s 2010\nreview of the Board\xe2\x80\x99s information security program. We are pleased that your assessment\ncontinues to recognize that the Board operates a comprehensive and effective information\nsecurity program and recognizes the progress we continue to make to enhance the program.\n\n        We generally agree with the three recommendations offered in your report. We intend to\ntake immediate action to address each of these recommendations. This includes updating our\nprogram documentation to more accurately reflect the risk management and continuous\nmonitoring programs. In addition, we will be reviewing the system inventory with each division\nand office to validate that all contractor services are correctly reflected in the inventory. We also\nplan to leverage the results from the continuous monitoring program to offset compliance testing\nrequirements during 2011.\n\n        The Information Technology Division\xe2\x80\x99s Plan of Actions and Milestones will be updated\nto reflect this corrective action. 
We look forward to continuing to work with your office.\n\n                                             Sincerely,\n\n                                              /signed/\n\n                                        Maureen Hannan\n                          Director, Division of Information Technology\n\ncc:    Mr. Geary Cunningham\n       Mr. Andrew Patchan\n       Mr. Ray Romero\n\n\x0c                                                              APPENDIX 3\n\n\n\nPrincipal Contributors to the Report\nRobert McMillon, Auditor-in-Charge\n\nRichard Allen, Senior IT Auditor\n\nSatynarayana-Setty Sriram, IT Auditor\n\nRobert Delgesso, IT Auditor\n\nPeter Sheridan, OIG Manager\n\nAndrew Patchan, Jr., Associate Inspector General for Audits\n"